By Chris Cardinal on December 17th, 2012
UPDATE, 12/18/2012: Amazon emailed me this morning to tell me they’ve terminated my account and let me know that I may have been phished. I was also told by the other woman I reference in this post that her account had been terminated as well. My Amazon Web Services account is in limbo, so I’ll be posting more about this shortly.
UPDATE #2, 12/18/2012 PM: It appears that the termination email was inaccurate. The account was only “frozen” and has since been restored to me, thankfully. (And moved to a different email address.) I’m following up with the other Amazon user to see if she’s had a similar outcome.
Someone has devised a relatively simple way of defrauding Amazon.com and they require very little hard information to pull it off. While this story is still developing, I’m writing this up in an effort to make Amazon aware of the problem and hopefully help them tighten their call center and live chat security.
You may recall that Amazon was implicated as the weak link in the Mat Honan iCloud hack, wherein a gadgets blogger had his entire online identity nuked from orbit because Amazon gave up the secondary identifying information necessary to issue a password reset over at Apple. (The last four of your credit card, incidentally.) I’m sad to say that Amazon has clearly not improved their authentication protocols in any meaningful way, but this time it’s hurting them directly.
I woke up this morning to find four tightly spaced emails from Amazon apologizing for the premature termination of our live chat session. They all differed slightly but were along the lines of “I couldn’t gather enough information to take action.” At first, I figured this was a bizarre phishing scheme, but the post-chat emails were true to Amazon’s normal format and linked to valid Amazon post-chat survey links. I did notice that the emails were being sent to my name with a dot bisecting the first and last name: GMail is “dot-blind”. You can literally email [email protected] and it would get through to the [email protected] account with no issues. But Amazon is NOT dot-blind. [email protected] is a distinct Amazon account from htmlist@gmail[email protected], even though the email account is the same. (Because many providers are NOT dot-blind, this is actually normal practice.)
This was of particular interest to me as I have never given out my email address with a dot in it. Ever. More on that soon.
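The dot-blind mismatch described above is exactly the kind of thing a merchant's fraud or account-review tooling can check for. The following is an added example, not code from the post or from Amazon: it canonicalizes addresses for providers that ignore dots (the provider list and the sample accounts are assumptions constructed for illustration) and flags separate customer accounts that deliver to the same mailbox.

```python
# Providers known to ignore dots (and +tags) in the local part.
# Assumption: illustrative list, not an authoritative registry.
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to, so that
    variants a dot-blind provider treats as identical collapse together.
    Addresses at other providers are only lowercased, since for them
    'jane.doe' and 'janedoe' may genuinely be different users."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_BLIND_DOMAINS:
        local = local.split("+", 1)[0]   # drop +tag suffix
        local = local.replace(".", "")   # drop dots
        domain = "gmail.com"             # googlemail.com aliases gmail.com
    return f"{local}@{domain}"


def find_mailbox_collisions(accounts):
    """Group (account_id, email) records by underlying mailbox. Any mailbox
    owning more than one account id is a candidate for review, e.g. a
    look-alike account registered with a dotted variant of an existing
    customer's address."""
    by_mailbox = {}
    for acct_id, email in accounts:
        by_mailbox.setdefault(canonical_mailbox(email), []).append(acct_id)
    return {mb: ids for mb, ids in by_mailbox.items() if len(ids) > 1}


# Constructed sample data, not real accounts or addresses.
SAMPLE_ACCOUNTS = [
    ("A1", "janedoe@gmail.com"),
    ("A2", "Jane.Doe@gmail.com"),          # same Gmail mailbox as A1
    ("A3", "jane.doe@example.com"),
    ("A4", "janedoe@example.com"),         # distinct at a non-dot-blind provider
]

if __name__ == "__main__":
    for mailbox, ids in find_mailbox_collisions(SAMPLE_ACCOUNTS).items():
        print(f"review: {mailbox} is shared by accounts {ids}")
```

Run against the constructed data it reports only the Gmail pair; the example.com pair is left alone because that provider is not assumed to be dot-blind.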
Finally, the last email indicated that “I did check on your account and found that no orders are present on this account. However if you’ll be able to provide us the order numbers, we’ll be able to proceed from there.” Someone is sniffing out order numbers.
Something wicked this way comes
Two hours later I received yet another post-chat email from Amazon Customer Service. Here it is: